Malware 'Slingshot' found infecting routers in Middle East and Africa

'Cyberespionage' platform has been operating unnoticed since 2012

Kaspersky Lab has just uncovered a sophisticated piece of malware that appears to have been active for at least six years. The program is particularly insidious since its core is installed on a router rather than a computer. Researchers have named it “Slingshot” after some text that was found in the malware’s code.

According to a report put out by Kaspersky, Slingshot is not just a simple bit of malicious programming. In fact, the paper describes it as an “attack platform” able to perform many tasks including data gathering, screenshots, keylogging, clipboard monitoring, network, USB, and password data exfiltration, and more.

The program is highly sophisticated and appears to be used for cyberespionage. The researchers say it is similar to Project Sauron and Regin, but more advanced. It has been in operation since at least 2012, mostly in the Middle East and Africa. Researchers have so far found over 100 infected computers.

While Slingshot resides on the router, there are modules that it downloads to connected computers. The very first thing it does is replace a DLL in Windows called “scesrv.dll” with a malicious version of the same name and file size.

“Not only that, it interacts with several other modules including a ring-0 loader, kernel-mode network sniffer, own base-independent packer, and virtual filesystem, among others,” said the report.
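Because the replacement scesrv.dll keeps the original's name and file size, an integrity check that records only those two attributes will not notice the swap; the content hash has to be compared. The following is an added example, not code from Kaspersky's report or from this article: it works on constructed stand-in files in a temporary directory, and the helper names (`snapshot`, `compare`, `demo`) are hypothetical.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(path):
    """Record the attributes a baseline would store for one file."""
    return {"name": os.path.basename(path).lower(),
            "size": os.path.getsize(path),
            "sha256": sha256_of(path)}

def compare(baseline, path):
    """Return (weak_ok, strong_ok): name+size match vs. content-hash match."""
    cur = snapshot(path)
    weak_ok = (cur["name"], cur["size"]) == (baseline["name"], baseline["size"])
    strong_ok = weak_ok and cur["sha256"] == baseline["sha256"]
    return weak_ok, strong_ok

def demo():
    """Constructed stand-in files; no real Windows binary is touched."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "scesrv.dll")
        original = b"MZ" + b"\x00" * 510      # constructed placeholder bytes
        with open(path, "wb") as f:
            f.write(original)
        baseline = snapshot(path)
        before = compare(baseline, path)
        # Simulate a swap: different content, identical name and length.
        replaced = b"MZ" + b"\x01" * 510
        with open(path, "wb") as f:
            f.write(replaced)
        after = compare(baseline, path)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("untouched file (name+size ok, hash ok):", before)
    print("replaced file  (name+size ok, hash ok):", after)
```

On a real host the baseline would have to be taken from a known-good system or installation media, since a kernel-mode rootkit on the machine being checked can interfere with what a local scan sees.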

Two of the larger helper programs are called Cahnadr and GollumApp.

Cahnadr is a kernel-mode module that is mainly responsible for hiding the presence of itself and the other modules. It is what allows the attackers to invisibly take over the computer. It is loaded with debug and rootkit countermeasures. It also monitors network devices and hides traffic.

GollumApp is an information gathering program injected by Cahnadr and is even more advanced, containing more than 1,500 user-code functions. It can grab passwords, clipboard data, hard disc patterns, and monitor desktop activity. It also has access to the camera and any devices connected through USB, and it runs with system privileges.

"Running in kernel mode, Cahnadr gives attackers complete control, without any limitations, over the infected computer."

Because of its sophistication, Kaspersky says that the software’s development had to have been very well funded. The researchers believe it was probably developed by an intelligence arm of a state government. They did not speculate on which nation may have produced it. However, there are circumstantial clues that point to it being a Western power.

“Most of the debug messages found throughout the platform are written in perfect English,” the researchers were quick to point out. “The references to Tolkien’s Lord of the Rings (Gollum, Smeagol) could suggest the authors are fans of Tolkien’s work.”

There are also the targets to consider. Of the 100 or so infections discovered, most were in Kenya and Yemen. There were also examples found in Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia, and Tanzania. Targets were not limited to individual citizens as some government organizations and institutions were found to have been affected as well.

No instances of the malware have been reported in the U.S., but that is not too surprising since the malware exploits a specific vulnerability in MikroTik routers — a brand that is not very popular in North America.

If you are interested in the nuts-and-bolts details of the malware, Kaspersky has published its 25-page report online. It is long but pretty interesting.